Lebanon explosions raise alarm about supply chain security, safety of tech

The use of pagers and walkie-talkies in back-to-back coordinated explosions in Lebanon has drawn scrutiny to the security of global supply chains and their vulnerability to tampering by governments or other actors.

The utilisation of thousands of electronic devices in the apparent attacks, which are widely believed to have been orchestrated by Israel as part of an operation targeting Lebanon’s armed group Hezbollah, has raised the spectre of everyday communications equipment being weaponised in the future.

Tech companies are likely to see the attacks as a powerful reminder of the importance of securing their supply chains, while the general public’s trust in technology may also take a hit, tech industry and supply chain analysts told Al Jazeera.

“Every company that makes or sells physical devices will be worrying about the integrity of their supply chain,” said James Grimmelmann, Tessler Family professor of digital and information law at Cornell Tech and Cornell Law School in the United States.

“They are likely to consider adding additional safeguards and verifications so that they can better detect and prevent moves like this.”

While Israel has been implicated in assassinations using tampered communications devices before – including the 1996 killing of Hamas bombmaker Yahya Ayyash via an explosives-rigged mobile phone – the scale of the attacks, involving thousands of simultaneous detonations, was unprecedented.

At least 32 people were killed and more than 3,100 were injured in the explosions on Tuesday and Wednesday, including Hezbollah members and civilians, according to Lebanese authorities.

Erosion of public trust

Brian Patrick Green, director of technology ethics at the Markkula Center for Applied Ethics at Santa Clara University in the US, described the attacks as a potential watershed for the public’s trust in their electronic devices.

“Somehow thousands of devices were turned into weapons without anyone noticing it. How widespread are these explosive devices? How did the explosives get into the devices or the device supply chains? This attack raises terrifying questions that were never even considered before,” Green said.

Mariarosaria Taddeo, a professor of digital ethics and defence technologies at University of Oxford, said the attacks set a concerning precedent as they involved interference with the supply chain “not for a specific act of sabotage but for a distributed, highly impactful attack”.

“This scenario has been considered by experts but less so by state actors. If something good comes out of them, this is going to a public debate on control of the supply chain, strategic autonomy over digital assets, and digital sovereignty,” Taddeo said.

While it is unclear exactly how the pagers and walkie-talkies were turned into explosive devices, Lebanese and US officials have told multiple media outlets that Israeli intelligence booby-trapped the devices with explosive materials.

Israel has not commented to either confirm or deny responsibility.

Taiwanese company Gold Apollo, whose brand of pagers were used in the attacks, on Wednesday denied manufacturing the deadly devices, saying they had been made under licence by a company called BAC.

Gold Apollo’s CEO Hsu Ching-kuang told US radio NPR that BAC had paid his company through a Middle Eastern bank account that was blocked at least once by his firm’s Taiwanese bank.

BAC, which is based in Hungary’s capital Budapest, has not responded to requests for comment.

On Thursday, The New York Times, citing three unnamed intelligence officials, reported that BAC was an Israeli front set up to manufacture the explosive pagers.

Icom, a radio equipment maker based in Japan, said it had stopped producing the model of radios reportedly used in the attacks about 10 years ago.

“It was discontinued about 10 years ago, and since then, it has not been shipped from our company,” Icom said in a statement.

“The production of the batteries needed to operate the main unit has also been discontinued, and a hologram seal to distinguish counterfeit products was not attached, so it is not possible to confirm whether the product shipped from our company.”

Patrick Lin, director of Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly), said there are important questions about where in the supply chain the devices were compromised.

“Was it during the manufacturing process, or in transit, or at the system operator’s level right before the devices are assigned to individuals?” Lin said.

“If it were done during the manufacturing process, then other technology manufacturers should be more concerned, as the other ways are outside their control. If the pager manufacturer wasn’t a willing accomplice in such a scenario, then their operational security was seriously compromised.”

How will tech companies respond?

However the devices may have been tampered with, the attacks could further accelerate moves towards technology that is “homegrown within a nation’s borders for tighter control of supply-chain security, whether it’s smartphones, drones, social media apps, whatever,” Lin said.

Milad Haghani, a supply chain expert at the School of Civil and Environmental Engineering at the University of New South Wales in Australia, said he expects to see a “widespread reckoning” that will lead companies to tighten their supply chain security protocols.

“For tech companies in general, this situation is unprecedented in its scale, and many likely haven’t taken the security of their production processes as seriously before,” Haghani said.

“Many companies may not have been fully equipped to handle such threats,” he said, adding that the explosions in Lebanon will lead to a significant ramp-up in security efforts within organisations.

Smartphone giants such as Apple, Samsung, Huawei, Xiomi and LG are viewed as less vulnerable to being compromised than smaller companies, analysts said, citing reasons including their greater attention to security, the relatively targeted nature of the operation against Hezbollah, and the more limited space in their devices in which to place substances such as explosives.

“There will be curiosity but their production and delivery chains are completely different to small-scale companies, including vendors of counterfeit transceivers. So at least now there’s no reason to consider that they may be affected,” said Lukasz Olejnik, a visiting senior research fellow of the Department of War Studies of King’s College London.

“However, the big companies may be inclined to highlight the differences in their ways of doing things.”

Others expressed less confidence that Big Tech is immune from such concerns, pointing to the fact that companies rely on smaller suppliers that may make for easier targets or that they have cooperated with governments to target individuals in less deadly ways, most notably to spy on their communications.

“The Israeli government has already been accused of essentially using the NSO group’s spyware as a privatised intelligence service, and indeed just this week Apple dropped its suit against NSO out of fear that its security secrets would leak,” Grimmelmann said.

“This is deeply disturbing, and citizens should not allow their governments to literally weaponise consumer technology like this.”

Apple, Samsung, Huawei, Xiomi and LG did not immediately respond to requests for comment.

Andrew Maynard, a professor at the School for the Future of Innovation in Society at Arizona State University (ASU), said the attacks are bound to shift perceptions of personal electronics “from devices that are absolutely safe, to devices that could possibly be co-opted and used to cause serious harm”.

“I wouldn’t be surprised to see this leading to growing suspicion and anxiety over whether the devices people use on an everyday basis are safe, and serious efforts from major companies to assure their customers that they are,” Maynard said.

“There are also a number of broader ramifications to the attacks. Before September 17, the idea of using personal devices to take out a well-defined group of people wasn’t part of the global zeitgeist. Now it is.”

While supporters and critics of Israel have clashed over whether the attacks should be viewed as a discriminating blow against military targets or a reckless act that put civilians in harm’s way, the blasts have also raised the possibility of other actors taking inspiration from such tactics.

Haghani said that while it would be difficult for most actors to pull off such attacks, they raised the need to ensure that “non-state actors, who might have fewer moral boundaries, don’t exploit supply chains in this way”.

Maynard, the ASU professor, said non-state armed groups could see such tactics as a “plausible way to create fear and push their agendas”.

“In effect, a door has been opened to a new form of terror campaign – one where individuals face the possibility of the device in their pocket – or their child’s hand – becoming an agent of destruction,” he said.

“The counterargument to this is that it is still likely to be exceptionally costly and challenging to take an off-the-shelf phone for instance and weaponize it. But now that the idea is out there, the possibility of this has likely increased.”